GAO INFORMATION SECURITY. Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "GAO INFORMATION SECURITY. Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk"

Transcription

1 GAO United States Government Accountability Office Report to Congressional Committees November 2010 INFORMATION SECURITY Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk GAO-11-43

2 Accountability Integrity Reliability Highlights of GAO-11-43, a report to congressional committees November 2010 INFORMATION SECURITY Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk Why GAO Did This Study Over the past several years, federal agencies have rapidly adopted the use of wireless technologies for their information systems. In a 2005 report, GAO recommended that the Office of Management and Budget (OMB), in its role overseeing governmentwide information security, take several steps to help agencies better secure their wireless networks. GAO was asked to update its prior report by (1) identifying leading practices and state-of-the-art technologies for deploying and monitoring secure wireless networks and (2) assessing agency efforts to secure wireless networks, including their vulnerability to attack. To do so, GAO reviewed publications, guidance, and other documentation and interviewed subject matter experts in wireless security. GAO also analyzed policies and plans and interviewed agency officials on wireless security at 24 major federal agencies and conducted additional detailed testing at these 5 agencies: the Departments of Agriculture, Commerce, Transportation, and Veterans Affairs, and the Social Security Administration. What GAO Recommends GAO is making two recommendations to OMB to enhance governmentwide oversight and four recommendations to the Department of Commerce for additional guidelines related to wireless security. The Department of Commerce concurred with GAO s recommendations. OMB did not provide comments on the report. View GAO or key components. For more information, contact Gregory Wilshusen at (202) or or Nabajyoti Barkakati at (202) or What GAO Found GAO identified a range of leading security practices for deploying and monitoring secure wireless networks and technologies that can help secure these networks. The leading practices include the following: comprehensive policies requiring secure encryption and establishing usage restrictions, implementation practices, and access controls; a risk-based approach for wireless deployment and monitoring; a centralized wireless management structure that is integrated with the management of the existing wired network; configuration requirements for wireless networks and devices; incorporation of wireless and mobile device security in training; use of encryption, such as a virtual private network for remote access; continuous monitoring for rogue access points and clients; and regular assessments to ensure wireless networks are secure. Agencies have taken steps to secure their wireless networks, but more can be done to improve security and to limit vulnerability to attack. Specifically, application was inconsistent among the agencies for most of the following leading practices: Most agencies developed policies to support federal guidelines and leading practices, but gaps existed, particularly with respect to dualconnected laptops and mobile devices taken on international travel. All agencies required a risk-based approach for management of wireless technologies. Many agencies used a decentralized structure for management of wireless, limiting the standardization that centralized management can provide. The five agencies where GAO performed detailed testing generally securely configured wireless access points but had numerous weaknesses in laptop and smartphone configurations. Most agencies were missing key elements related to wireless security in their security awareness training. Twenty agencies required encryption, and eight of these agencies specified that a virtual private network must be used; four agencies did not require encryption for remote access. Many agencies had insufficient practices for monitoring or conducting security assessments of their wireless networks. Existing governmentwide guidelines and oversight efforts do not fully address agency implementation of leading wireless security practices. Until agencies take steps to better implement these leading practices, and OMB takes steps to improve governmentwide oversight, wireless networks will remain at an increased vulnerability to attack. United States Government Accountability Office

3 Contents Letter 1 Background 2 Comprehensive Policies, Use of Secure Technologies, Risk-Based Approach, Training, and Monitoring Among Leading Practices for Deploying and Monitoring Secure Wireless Networks 17 Agencies Have Acted to Secure Wireless Networks, but Additional Steps Are Needed to Effectively Mitigate Security Challenges 26 Conclusions 37 Recommendations for Executive Action 38 Agency Comments and Our Evaluation 39 Appendix I Objectives, Scope, and Methodology 40 Appendix II Comments from the Department of Commerce 43 Appendix III GAO Contacts and Staff Acknowledgments 45 Tables Table 1: Examples of Network Security Threats 8 Table 2: Wireless Security Guidelines Identified in NIST Guidelines 13 Table 3: Guidelines in NIST Publications Addressing Recommendations from GAO Table 4: Leading Practices for Securing Wireless Networks and Technologies 17 Figures Figure 1: Example of a Wireless Infrastructure Mode Network 4 Figure 2: Example of Wireless Ad Hoc Networking 5 Figure 3: Dual-Connect Attack Scenario 10 Figure 4: Wireless Man-in-the-Middle Attack Scenario 11 Figure 5: Smartphone Data Attack Scenario 11 Page i

4 Abbreviations DISA Defense Information Systems Agency DHS Department of Homeland Security EAP extensible authentication protocol FDCC Federal Desktop Core Configuration FIPS Federal Information Processing Standards FISMA Federal Information Security Management Act IEEE Institute of Electrical and Electronics Engineers IT information technology IPv6 Internet protocol version 6 NIST National Institute of Standards and Technology OMB Office of Management and Budget PDA personal digital assistant SP Special Publications VPN virtual private network WEP wired equivalent privacy WiMAX Worldwide Interoperability for Microwave Access WPA Wi-Fi Protected Access WLAN wireless local area network This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Page ii

5 United States Government Accountability Office Washington, DC November 30, 2010 The Honorable Richard J. Durbin Chairman The Honorable Susan Collins Ranking Member Subcommittee on Financial Services and General Government Committee on Appropriations United States Senate The Honorable José E. Serrano Chairman The Honorable Jo Ann Emerson Ranking Member Subcommittee on Financial Services and General Government Committee on Appropriations House of Representatives In the last several years, federal agencies have increasingly adopted the use of wireless technologies. While wireless technologies provide many potential benefits, including greater flexibility for a mobile workforce and ease of installation and use, they also pose significant risks to information and systems. Wireless technologies use radio waves instead of direct physical connections to transmit data between networks and devices. As a result, without proper security precautions, these data can be more easily intercepted and altered than if being transmitted through physical connections. We have previously reported on the security of wireless networks at federal agencies in The conference report accompanying the Financial Services and General Government Appropriations Act, 2010, directed us to update our 2005 report. 2 Accordingly, our objectives for this report were to: (1) identify leading practices and state-of-the-art 1 GAO, Information Security: Federal Agencies Need to Improve Controls over Wireless Networks, GAO (Washington, D.C.: May 17, 2005). 2 H.R. Conf. Rep. No , at 914 (2009). We briefed the committees on the preliminary results of our review on April 13, Page 1

6 technologies for deploying and monitoring secure wireless networks and (2) assess agency efforts to secure wireless networks, including their vulnerability to attack. To identify leading practices and state-of-the-art technologies for deploying and monitoring secure wireless networks, we obtained and reviewed publications, guidance, and other documentation, and interviewed private and federal subject matter experts. To assess agency efforts to secure wireless networks, we reviewed agency documents and conducted structured interviews with agency officials to learn about the wireless posture at 24 major federal agencies. 3 We supplemented these questions with site visits and detailed testing of wireless security controls at five of the agencies. We conducted this performance audit from January 2010 to November 2010, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Appendix I contains additional details on the objectives, scope, and methodology of our review. Background The advantages of wireless technology for federal agencies include increased flexibility, easier installation, and easier scalability than wired technologies. If a federal agency has installed a wireless infrastructure, users with wireless-enabled devices can more easily connect to the agency s network throughout its facilities. In addition, agency employees traveling with wireless-enabled devices may be able to connect to an agency network via any one of the many public Internet access points or hot spots. Installation can be easier and less costly because the network can be established without having to pull cables through walls or ceilings or modify the physical network infrastructure. Wireless networks can also 3 The 24 major federal agencies are the Agency for International Development; the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency; the General Services Administration; the National Aeronautics and Space Administration; the National Science Foundation; the Nuclear Regulatory Commission; the Office of Personnel Management; the Small Business Administration; and the Social Security Administration. Page 2

7 be easily scaled from small peer-to-peer networks to very large enterprise networks. For example, an agency can greatly expand the size of its wireless network and the number of users it can serve by increasing the number of access points. The following wireless technologies are commonly used by federal agencies: wireless local area network (WLAN) a group of wireless networking nodes within a limited geographic area that serve as an extension to existing wired local area networks; wireless personal area network used to establish small-scale wireless networks such as those using Bluetooth, which is an open standard for short-range communication; and wireless cellular networks a telecommunications network managed by a service provider that supports smartphones, which offer the ability to provide data such as and Web browsing wirelessly over cellular networks, and cellular data cards, which provide Internet connectivity to laptop computers. Wireless Local Area Networks WLANs are generally composed of two basic elements: access points and other wireless-enabled client devices, such as laptop computers. These elements rely on radio transmitters and receivers to communicate with each other. Access points are physically wired to a conventional network and provide a means for wireless devices to connect to them. WLANs that are based on the Institute of Electrical and Electronics Engineers 4 (IEEE) standards are also known as Wi-Fi. WLANs are characterized by one of the following two basic structures, referred to as infrastructure mode and ad hoc mode: Infrastructure mode. By deploying one or more access points that broadcast overlapping signals, an organization can achieve broad wireless network coverage. Infrastructure mode enables a laptop or other mobile device to be moved about freely while maintaining access to the resources of the wired network (see fig. 1). 4 IEEE is a professional association focused on electrical and computer sciences, engineering, and related disciplines. IEEE is responsible for developing technical standards through the IEEE Standards Association, which follows consensus-based standards development processes. Page 3

8 Figure 1: Example of a Wireless Infrastructure Mode Network Traditional wired network Wireless access point Sources: GAO; Microsoft Visio and Art Explosion (images). Ad hoc mode. This type of wireless structure allows wireless devices that are near one another to easily interconnect. In ad hoc mode, wirelessenabled devices can share network functionality without the use of an access point or a wired network connection (see fig. 2). Page 4

9 Figure 2: Example of Wireless Ad Hoc Networking Sources: GAO; Microsoft Visio and Art Explosion (images). After approval of the initial IEEE standard in 1997, IEEE released several amendments to increase WLAN network speeds to be more comparable to that of wired networks. The standard and these subsequent amendments include security features known collectively as wired equivalent privacy (WEP). However, configurations that use WEP have significant security flaws. To address these flaws, IEEE released the i security standard in 2004, which specifies security components that work together with transmission standards. The IEEE i security standard supports wireless connections that provide moderate to high levels of assurance against WLAN security threats through the use of different cryptographic techniques. While IEEE was developing i, the Wi-Fi Alliance 5 developed the Wi- Fi Protected Access (WPA) security certification as an interim means to 5 The Wi-Fi Alliance is a nonprofit international association that has the goal of certifying the interoperability of WLAN products based on IEEE specifications. Page 5

10 improve security over WEP. The protocols used under the WPA certification address vulnerabilities of WEP, but the certification does not require support for strong encryption. In conjunction with the ratification of the i security standard in 2004, the Wi-Fi Alliance introduced WPA2 the interoperability certification for i. The WPA2 certification extends the security capabilities offered by WPA to include all requirements of the i standard. Both WPA and WPA2 offer two modes of operation: Personal and Enterprise. WPA2-Personal protects unauthorized network access by using a preshared password as a key for network setup and access, while WPA2-Enterprise verifies network users through an authentication server. In most cases, WPA2-Enterprise is recommended to eliminate the continuous process of generating, deploying, and replacing outdated passwords. Although WPA2-Enterprise-certified products provide more security protections than WEP and WPA, recent reports revealed that wireless networks protected with WPA2-Enterprise encryption can also be susceptible to attacks. Most recently, in 2009, IEEE ratified the w-2009 standard, which further increases the overall security of based networks. Specifically, w-2009 provides improved protection for WLANs by defining additional encryption security features to help prevent incidents such as denial of service attacks against WLANs. Wireless Personal Area Networks Wireless personal area networks provide wireless connectivity to devices such as telephone headsets or computer keyboards within close proximity. Bluetooth is commonly used to establish these types of networks. Several versions of the Bluetooth standard have been adopted by the Bluetooth Special Interest Group. 6 Each Bluetooth device must operate in one of the four security modes defined by the Bluetooth standard. Each version of Bluetooth supports some, but not all, of these modes. 6 The Bluetooth Special Interest Group is a not-for-profit trade association developed to serve as the governing body for Bluetooth specifications. Page 6

11 Wireless Cellular Networks Cellular networks are managed by service providers who provide coverage based on dividing a large geographical service area into smaller areas of coverage called cells. As a mobile phone moves from one cell to another, a cellular arrangement requires active connections to be monitored and effectively passed along between cells to maintain the connection. In addition to cellular phones, cellular networks support smartphones and cellular data cards. Smartphones offer more functionality than basic cellular phones, including and other office productivity applications and have extended expansion capabilities through peripheral card slots and other built-in wireless communications such as Bluetooth and Wi-Fi. Cellular data cards allow laptop users to connect to the Internet anywhere cellular service is available. However, cellular data cards can only access the Internet if the user is within the service provider s network coverage area. Federal Agencies Make Widespread Use of Wireless Technologies Agencies reported significant use of WLANs to extend working mobility for employees and contractors. For example, 18 agencies reported using WLANs in a variety of ways. Five agencies reported having wireless networks available for headquarters along with field offices or components. Twelve other agencies reported that components have different wireless practices than headquarters. For example, one major agency reported no WLANs at its headquarters, but it has components that use them. Further, several agencies use wireless networks for more limited purposes than connecting to the core agency network. Specifically, five agencies reported offering WLANs that connect directly to the Internet for use in conference rooms or other public spaces. Another agency reported using wireless access points to provide Internet connectivity at outdoor construction sites. Personal area networks using Bluetooth technology were also reported by many agencies. Specifically, 14 agencies reported using Bluetooth devices. Ten agencies reported permitting cellular phone users to connect wireless headsets, and four agencies reported permitting wireless keyboards or mice. Agencies also reported extensive use of smartphones and cellular data cards. All 24 agencies we queried reported using smartphones, primarily the BlackBerry brand. Agencies smartphone management structures included: management through a central server located at the department level or at the component level and one component or office providing smartphone management to another office. Seventeen agencies reported using cellular data cards to provide Internet connectivity to user laptops. Page 7

12 These cards and services are typically provided by commercial telecommunications carriers. Wireless Technologies Are Susceptible to Security Risks Without proper safeguards, computer systems are vulnerable to individuals and groups with malicious intent who can intrude and use their access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks. The risk to these systems is well-founded for a number of reasons, including the dramatic increase in reports of security incidents, the ease of obtaining and using hacking tools, and steady advances in the sophistication and effectiveness of attack technology. Table 1 provides a compilation of threats to wireless and wired networks as identified by the National Institute of Standards and Technology (NIST). Table 1: Examples of Network Security Threats Denial-of-service Eavesdropping Man-in-the-middle Masquerading Message modification Message replay Misappropriation Traffic analysis Preventing or limiting the normal use or management of networks or network devices. Passively monitoring network communications for data, including authentication credentials. Actively impersonating multiple legitimate parties, such as appearing as a client to an access point and appearing as an access point to a client. Allows attacker to intercept communications between an access point and a client, thereby obtaining authentication credentials and data. Impersonating an authorized user and gaining unauthorized privileges. Altering a legitimate message by deleting, adding to, changing, or reordering it. Passively monitoring transmissions and retransmitting messages, acting as if the attacker were a legitimate user. Stealing or making unauthorized use of a service. Passively monitoring transmissions to identify communication patterns and participants. Source: GAO analysis of NIST data. Wireless networks also face challenges that are unique to their environment. A significant difference between wireless and wired networks is the relative ease of intercepting WLAN transmissions. For WLANs, attackers only need to be in range of wireless transmissions and do not have to gain physical access to the network or remotely compromise systems on the network. WLANs also have to protect against the deployment of unauthorized wireless devices, such as access points, Page 8

13 that are configured to appear as part of an agency s wireless network infrastructure. In implementing wireless networks, federal agencies need to address these challenges to maintain the confidentiality, integrity, and availability of the information. Bluetooth-enabled devices are susceptible to general networking threats and are also threatened by more specific Bluetooth-related attacks such as bluesnarfing, which enables attackers to gain access to a Bluetoothenabled device by exploiting a software flaw in older devices. Smartphones are also susceptible to general networking threats and face additional security risks. Those risks include those caused by their size and portability, as well as the availability of different wireless interfaces and associated services. For example, the size and portability of smartphones can result in the loss of physical control of a device that could reveal sensitive data to an unauthorized user. Recent articles released by the media reinforce the need for federal agencies to secure their wireless networks and devices. Examples of reported incidents and risks include the following: A retail company admitted in 2007 that hackers located and tested wireless networks for vulnerabilities and installed programs on these networks to steal the credit card information of more than 45 million consumers. An assessment of wireless vulnerability conducted in 2008 at 27 airports that had wireless networks found that personal information could be leaked because only 3 percent of hot spot users used a virtual private network (VPN) 7 to encrypt their data. In 2009, a counterintelligence official described how smartphones could have been tagged, tracked, monitored, and exploited at the 2008 Beijing Olympics. The malicious software could have also posed a threat to servers in the United States. 7 A VPN is a private network that is maintained across a shared or public network, such as the Internet, by means of specialized security procedures. VPNs are intended to provide secure connections between remote clients, such as branch offices or traveling personnel and a central office. Page 9

14 Scenarios Provide Examples of Attacks Using Wireless Vulnerabilities The following scenarios (figs. 3-5) provide examples of well-known attacks used to exploit vulnerabilities in wireless technologies. These scenarios do not represent all possible attacks on wireless technology vulnerabilities. In a dual-connect scenario (see fig. 3), the attacker exploits insecure laptop configurations to gain unauthorized access to an organization s core network. Figure 3: Dual-Connect Attack Scenario 1 2 A target laptop has a wired connection to the agency network. With wireless enabled, the target laptop automatically looks for any previously connected wireless networks by network name. An attacker with a scanning tool can identify wireless network names and deploy a rogue wireless access point with the same name as one of the previously connected wireless networks. 5 With unauthorized access to an agency network, an attacker is capable of destroying, modifying, or copying sensitive information. Target Attacker 3 While still connected to the agency network, the target laptop automatically connects to the rogue wireless access point, creating a dual connection, i.e., the target laptop has both an active wired and wireless connection. Wireless Hard-wired Agency core wired network 4 While connected to the rogue wireless access point, the target laptop can be probed and vulnerabilities exploited that could provide an attacker with access to the agency network through the target laptop. Source: GAO; Art Explosion (images). Wireless man-in-the-middle attacks (see fig. 4) use an insecure laptop configuration to intercept or alter information transmitted wirelessly between the target laptop and a wireless access point. Page 10

15 Figure 4: Wireless Man-in-the-Middle Attack Scenario 1 While located between a target laptop and a legitimate wireless access point, an attacker impersonates the legitimate access point. Attacker Target 2 The target laptop unintentionally connects to the rogue wireless access point, which acts as a man-in-the-middle, reading and then relaying information to the legitimate access point. 3 The rogue wireless access point can then intercept network communications between the target laptop and the legitimate access point. Legitimate wireless access point 4 As a result, the attacker could read and modify sensitive data in transmission, or inject malicious code to infect the target laptop. Source: GAO; Art Explosion (images). Attacks on smartphones (see fig. 5) can involve stealing data or injecting malicious code using phone storage cards. Figure 5: Smartphone Data Attack Scenario 1 2 Smartphones have the capability to store data on removable storage cards. If this capability is not disabled and the target phone is left unattended, an attacker could replace the storage card with a card with malicious code or simply remove the storage card with its contents that could include sensitive information. Source: GAO. Page 11

16 Federal Laws and Guidelines Provide a Framework for Wireless Security Policies The Federal Information Security Management Act (FISMA) of 2002 requires each agency to develop, document, and implement an agencywide information security program to provide security for the data and information systems that support the agency s operations and assets. 8 Significant amounts of agency data are stored on and transmitted through wireless devices and networks. Wireless technologies are often important parts of the information systems that support the agency s operations and assets. Accordingly, wireless technologies are typically encompassed by agency information security programs required under FISMA. FISMA also assigns additional information security responsibilities for the Office of Management and Budget (OMB) and NIST. FISMA assigns OMB specific responsibilities, including overseeing the implementation of policies, standards, and guidelines on information security, including ensuring timely agency adoption of and compliance with standards; requiring agencies to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of an agency, or information systems used or operated by or on behalf of an agency; overseeing agency compliance with FISMA requirements; reviewing at least annually, and approving or disapproving, agency information security programs; and annual reporting to Congress on agency compliance with the requirements of FISMA, including significant deficiencies in agency information security practices and planned remedial action to address such deficiencies. In a July 2010 memo, OMB directed the Department of Homeland Security (DHS) to exercise primary responsibility within the executive branch for the operational aspects of federal agency cybersecurity with respect to the federal information systems that fall within FISMA. 9 According to the 8 44 U.S.C. 3544(b). 9 OMB, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (Washington, D.C: July 6, 2010). Page 12

17 memo, DHS is to oversee the implementation of and reporting on information security policies and guidance in federal agencies, oversee agency compliance with FISMA, and annually review agency cybersecurity programs. OMB will continue to report annually to Congress on the progress of agencies compliance with FISMA. According to the Director of Federal Network Security the DHS official responsible for many of DHS s newly assigned FISMA-related activities DHS is beginning its oversight activities through the annual FISMA reporting process that federal agencies are required to follow. The official stated that the department does not currently have any wireless-securityspecific activities under way, but that the department is planning future activities that may address wireless security, including compliance audits and an architecture document. Under FISMA, NIST is responsible for developing standards and guidelines that include minimum information security requirements. Table 2 describes NIST Special Publications (SP) that include guidelines intended to secure wireless technologies. Table 2: Wireless Security Guidelines Identified in NIST Guidelines NIST SP Purpose , Guide to Securing Legacy IEEE Wireless Provides guidelines to organizations in securing their legacy IEEE Networks a WLAN that cannot use the IEEE i standard , Recommended Security Controls for Federal Information Systems and Organizations b , Guide to Intrusion Detection and Prevention Systems c , Establishing Wireless Robust Security Networks: A Guide to IEEE i e Provides guidelines for selecting and specifying security controls for information systems that include wireless access and access controls for mobile devices. Provides a basis for designing, implementing, configuring, securing, monitoring, and maintaining intrusion detection and prevention systems including a wireless intrusion detection system. d Assists organizations in understanding, selecting, and implementing technologies based on IEEE i , Guidelines on Cell Phone Forensics f Provides basic information on the preservation, acquisition, examination, analysis, and reporting of digital evidence on cell phones, relevant to law enforcement, incident response, and other types of investigations , User s Guide to Securing External Devices for Telework and Remote Access g Provides guidelines for securing external devices used for telework including wireless home networks and wireless-enabled personal computers. Page 13

18 NIST SP , Recommendation for EAP Methods Used in Wireless Network Access Authentication h Purpose Formalizes a set of core security requirements for extensible authentication protocol (EAP) i for wireless access authentication and key establishment , Guide to Bluetooth Security j Provides information on the security capabilities of Bluetooth and provides recommendations to secure Bluetooth devices effectively , Guidelines on Cell Phone and PDA Security k Provides an overview of cell phone and personal digital assistant (PDA) devices in use today and provides safeguards for securing these devices. Source: GAO analysis of NIST data. a NIST, Guide to Securing Legacy IEEE Wireless Networks, SP Revision 1 (Gaithersburg, MD: July 2008). b NIST, Recommended Security Controls for Federal Information Systems and Organizations, SP Revision 3 (Gaithersburg, MD: August 2009). c NIST, Guide to Intrusion Detection and Prevention Systems (IDPS), SP (Gaithersburg, MD: February 2007). d An intrusion detection system monitors the events occurring in a computer system or network and analyzes them for signs of possible incidents. e NIST, Establishing Wireless Robust Security Networks: A Guide to IEEE i, SP (Gaithersburg, MD: February 2007). f NIST, Guidelines on Cell Phone Forensics, SP (Gaithersburg, MD: May 2007). g NIST, User s Guide to Securing External Devices for Telework and Remote Access, SP (Gaithersburg, MD: November 2007). h NIST, Recommendation for EAP Methods Used in Wireless Network Access Authentication, SP (Gaithersburg, MD: September 2009). i EAP supports multiple authentication methods used when connecting a computer to the Internet. j NIST, Guide to Bluetooth Security, SP (Gaithersburg, MD: September 2008). k NIST, Guidelines on Cell Phone and PDA Security, SP (Gaithersburg, MD: October 2008). NIST is also responsible for administering the United States Configuration Baseline, which is an initiative to create security configuration baselines for information technology (IT) products deployed across federal agencies. In addition to NIST guidelines, other federal agencies have developed guidance for securing wireless technologies. For example, the Department of Defense s Defense Information Systems Agency (DISA) has created a series of security technical implementation guides that address general purpose or multiuse technologies. These guides serve as configuration standards for the Department of Defense s wireless devices and systems. In addition, DISA has made these guides available for other federal agencies to provide them with a baseline level of security. Page 14

19 GAO Has Previously Recommended Improvements to Wireless Network Security Guidance In 2005, we reported that federal agencies lacked key controls for securing wireless networks. 10 We recommended that the Director of OMB instruct federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. Specifically, we recommended that agencywide security programs should include the following security controls. Robust policies for authorizing the use of the wireless networks, identifying requirements, and establishing security controls for wirelessenabled devices in accordance with NIST guidelines. Security configuration requirements for wireless devices that include security tools, such as encryption, authentication, VPN, and firewalls; placement and strength of wireless access points to minimize signal leakage; and physical protection of wireless-enabled devices. Comprehensive monitoring programs, including the use of tools such as site surveys and intrusion detection systems to detect signal leakage; ensure compliance with configuration requirements; ensure only authorized access and use of wireless networks; and identify unauthorized wireless-enabled devices and activities in the agency s facilities. Wireless security training for employees and contractors. In response to our recommendations, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of NIST guidelines. In addition, OMB s annual FISMA reporting requirements state that agencies must follow NIST standards and guidelines for non-national security programs and information systems. Since our report was issued, NIST has released 10 GAO Page 15

20 guidelines that address the items identified in our recommendations. These guidelines include NIST SP , Guide to Securing Legacy IEEE Wireless Networks; NIST SP , Recommended Security Controls for Federal Information Systems and Organizations; and NIST SP , Establishing Wireless Robust Security Networks: A Guide to IEEE i (see table 3). Table 3: Guidelines in NIST Publications Addressing Recommendations from GAO Recommendation NIST SP NIST SP NIST SP Area Establish policies X X X Establishing wireless networking security policies, such as infrastructure and client device security; criteria for identifying and implementing security requirements; access controls for portable and mobile devices; and establishing and maintaining robust security for wireless local area networks. Configuration requirements include security tools Configuration requirements address access points Configuration requirements include physical protection Monitoring programs include tools to detect signal leakage Monitoring programs include tools to ensure configuration compliance Monitoring programs include tools to ensure access is authorized Monitoring programs include tools to identify unauthorized access X X Configuring wireless client device security tools and the use of security tools such as personal firewalls, host-based intrusion detection and prevention systems for the protection of wireless clients; the use of VPNs as an alternative method of achieving confidentiality and integrity protection; and security protocols. X Establishing access point configuration and awareness of access point security concerns, including signal boundary considerations. X X Ensuring physical protection of wireless devices such as usage restrictions and implementation guidance for organization-controlled portable and mobile devices. X Determining criteria for conducting site surveys and the use of appropriate wall-mounted antennas to minimize signal leakage. X X Using wireless intrusion detection and prevention systems to determine misconfigured clients and using policy driven software solutions to ensure client devices and users comply with defined WLAN policies. X X X Using wireless intrusion detection and prevention systems to determine whether unauthorized users or devices are attempting to access, have already accessed, or have compromised the WLAN; and performing regular audits using wireless sniffers and other tools to determine whether wireless products are transmitting correctly and on the correct channels. X X X Using wireless intrusion detection and prevention systems to detect suspicious or unauthorized activity and completing site surveys to discover any sources of radio interference. Security training X X X Establishing wireless security awareness and training for employees and contractors to ensure good security practices and prevent inadvertent or malicious intrusions into an organization s information systems. Source: GAO analysis of NIST data. Page 16

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies United States Government Accountability Office Report to Congressional Requesters June 2014 INFORMATION SECURITY Additional Oversight Needed to Improve Programs at Small Agencies GAO-14-344 June 2014 INFORMATION

More information

a GAO-05-383 GAO INFORMATION SECURITY Federal Agencies Need to Improve Controls over Wireless Networks

a GAO-05-383 GAO INFORMATION SECURITY Federal Agencies Need to Improve Controls over Wireless Networks GAO United States Government Accountability Office Report to the Honorable Wm. Lacy Clay, House of Representatives May 2005 INFORMATION SECURITY Federal Agencies Need to Improve Controls over Wireless

More information

GAO. INFORMATION SECURITY Governmentwide Guidance Needed to Assist Agencies in Implementing Cloud Computing

GAO. INFORMATION SECURITY Governmentwide Guidance Needed to Assist Agencies in Implementing Cloud Computing GAO For Release on Delivery Expected at 10:00 a.m. EDT Thursday, July 1, 2010 United States Government Accountability Office Testimony Before the Committee on Oversight and Government Reform and Its Subcommittee

More information

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness United States Government Accountability Office Report to Congressional Committees September 2013 FEDERAL INFORMATION SECURITY Mixed Progress in Implementing Program Components; Improved Metrics Needed

More information

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement GAO For Release on Delivery Expected at time 1:00 p.m. EDT Thursday, April 19, 2007 United States Government Accountability Office Testimony Before the Subcommittee on Emerging Threats, Cybersecurity,

More information

Evaluation Report. Office of Inspector General

Evaluation Report. Office of Inspector General Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury

More information

GAO INFORMATION SECURITY. Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing. Report to Congressional Requesters

GAO INFORMATION SECURITY. Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing. Report to Congressional Requesters GAO United States Government Accountability Office Report to Congressional Requesters May 2010 INFORMATION SECURITY Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing GAO-10-513

More information

GAO. IT SUPPLY CHAIN Additional Efforts Needed by National Security- Related Agencies to Address Risks

GAO. IT SUPPLY CHAIN Additional Efforts Needed by National Security- Related Agencies to Address Risks GAO For Release on Delivery Expected at 10:00 a.m. EDT Tuesday, March 27, 2012 United States Government Accountability Office Testimony Before the Subcommittee on Oversight and Investigations, Committee

More information

GAO. INFORMATION SECURITY Additional Guidance Needed to Address Cloud Computing Concerns

GAO. INFORMATION SECURITY Additional Guidance Needed to Address Cloud Computing Concerns GAO For Release on Delivery Expected at 10:00 a.m. EDT Thursday, October 6, 2011 United States Government Accountability Office Testimony Before the Subcommittee on Cybersecurity, Infrastructure Protection,

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS Karen Scarfone, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Many people

More information

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks WHITE PAPER The Need for Wireless Intrusion Prevention in Retail Networks The Need for Wireless Intrusion Prevention in Retail Networks Firewalls and VPNs are well-established perimeter security solutions.

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2013 May 29, 2014 13-01391-72 ACRONYMS AND

More information

ITL BULLETIN FOR AUGUST 2012

ITL BULLETIN FOR AUGUST 2012 ITL BULLETIN FOR AUGUST 2012 SECURITY OF BLUETOOTH SYSTEMS AND DEVICES: UPDATED GUIDE ISSUED BY THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) Shirley Radack, Editor Computer Security Division

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Evaluation Report The Department's Unclassified Cyber Security Program 2011 DOE/IG-0856 October 2011 Department of

More information

POLICY ON WIRELESS SYSTEMS

POLICY ON WIRELESS SYSTEMS Committee on National Security Systems CNSSP No. 17 January 2014 POLICY ON WIRELESS SYSTEMS THIS DOCUMENT PRESCRIBES MINIMUM STANDARDS YOUR DEPARTMENT OR AGENCY MAY REQUIRE FURTHER IMPLEMENTATION CHAIR

More information

REMOTE ACCESS POLICY OCIO-6005-09 TABLE OF CONTENTS

REMOTE ACCESS POLICY OCIO-6005-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER REMOTE ACCESS POLICY OCIO-6005-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section I. PURPOSE II. AUTHORITY III.

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

GAO INFORMATION SECURITY. FBI Needs to Address Weaknesses in Critical Network

GAO INFORMATION SECURITY. FBI Needs to Address Weaknesses in Critical Network GAO United States Government Accountability Office Report to the Honorable F. James Sensenbrenner Jr., House of Representatives April 2007 INFORMATION SECURITY FBI Needs to Address Weaknesses in Critical

More information

Wireless Security with Cyberoam

Wireless Security with Cyberoam White paper Cyberoam UTM Wireless Security with Cyberoam Robust, Fault-tolerant security is a must for companies sporting wireless networks. Cyberoam UTM strengthens the existing Wireless Security Architecture

More information

The Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard

The Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard The Impact of Wireless LAN Technology on to the PCI Data Security Standard 339 N. Bernardo Avenue, Suite 200 Mountain View, CA 94043 www.airtightnetworks.net Wireless LANs and PCI Retailers today use computers

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Security Controls Over Wireless Technology Were Generally in Place; However, Further Actions Can Improve Security September 26, 2011 Reference Number:

More information

INFORMATION SECURITY. VA Needs to Address Identified Vulnerabilities

INFORMATION SECURITY. VA Needs to Address Identified Vulnerabilities United States Government Accountability Office Report to the Chairman, Committee on Veterans Affairs, House of Representatives November 2014 INFORMATION SECURITY VA Needs to Address Identified Vulnerabilities

More information

INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ WWW.LIVINGSTONNJ.ORG ITMC TECH TIP ROB COONCE, MARCH 2008

INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ WWW.LIVINGSTONNJ.ORG ITMC TECH TIP ROB COONCE, MARCH 2008 INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ WWW.LIVINGSTONNJ.ORG What is wireless technology? ITMC TECH TIP ROB COONCE, MARCH 2008 In our world today, this may mean sitting down at a coffee

More information

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries

More information

a GAO-05-700 GAO INFORMATION SECURITY Department of Homeland Security Needs to Fully Implement Its Security Program

a GAO-05-700 GAO INFORMATION SECURITY Department of Homeland Security Needs to Fully Implement Its Security Program GAO United States Government Accountability Office Report to the Ranking Minority Member, Committee on Homeland Security and Governmental Affairs, U.S. Senate June 2005 INFORMATION SECURITY Department

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2014 May 19, 2015 14-01820-355 ACRONYMS CRISP

More information

Ten Deadly Sins in Wireless Security

Ten Deadly Sins in Wireless Security Ten Deadly Sins in Wireless Security The emergence and popularity of wireless devices and wireless networks has provided a platform for real time communication and collaboration. This emergence has created

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE IAD Best Practices for Securing Wireless Devices and Networks in National Security Systems IAG U/OO/814639-15 13 October

More information

Compliance Risk Management IT Governance Assurance

Compliance Risk Management IT Governance Assurance Compliance Risk Management IT Governance Assurance Solutions That Matter Introduction to Federal Information Security Management Act (FISMA) Without proper safeguards, federal agencies computer systems

More information

INFORMATION SECURITY. Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent

INFORMATION SECURITY. Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent United States Government Accountability Office Report to Congressional Requesters December 2013 INFORMATION SECURITY Agency Responses to Breaches of Personally Identifiable Information Need to Be More

More information

EVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014

EVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014 U.S. Department of Energy Office of Inspector General Office of Audits and Inspections EVALUATION REPORT The Department of Energy's Unclassified Cybersecurity Program 2014 DOE/IG-0925 October 2014 Department

More information

Department of Veterans Affairs

Department of Veterans Affairs OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Assessment for FY 2010 May 12, 2011 10-01916-165 FISMA NIST OIG OMB POA&M ACRONYMS AND ABBREVIATIONS

More information

Wireless Local Area Network Deployment and Security Practices

Wireless Local Area Network Deployment and Security Practices HIGHLIGHTS AUDIT REPORT Wireless Local Area Network Deployment and April 24, 2014 Report Number HIGHLIGHTS BACKGROUND: The U.S. Postal Service is committed to providing a high quality, secure, and cost-effective

More information

PCI Solution for Retail: Addressing Compliance and Security Best Practices

PCI Solution for Retail: Addressing Compliance and Security Best Practices PCI Solution for Retail: Addressing Compliance and Security Best Practices Executive Summary The Payment Card Industry (PCI) Data Security Standard has been revised to address an evolving risk environment

More information

GAO INFORMATION SECURITY. Weaknesses Continue Amid New Federal Efforts to Implement Requirements. Report to Congressional Committees

GAO INFORMATION SECURITY. Weaknesses Continue Amid New Federal Efforts to Implement Requirements. Report to Congressional Committees GAO United States Government Accountability Office Report to Congressional Committees October 2011 INFORMATION SECURITY Weaknesses Continue Amid New Federal Efforts to Implement Requirements GAO-12-137

More information

Wireless Network Standard and Guidelines

Wireless Network Standard and Guidelines Wireless Network Standard and Guidelines Purpose The standard and guidelines listed in this document will ensure the uniformity of wireless network access points and provide guidance for monitoring, maintaining

More information

Wireless Local Area Network Deployment and Security Practices

Wireless Local Area Network Deployment and Security Practices Wireless Local Area Network Deployment and Security Practices Audit Report Report Number IT-AR-14-005-DR April 24, 2014 Highlights Our objectives were to determine whether the Postal Service has effective

More information

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION SYSTEM GENERAL CONTROLS AT THREE CALIFORNIA MANAGED-CARE

More information

GAO INFORMATION SECURITY. Fundamental Weaknesses Place EPA Data and Operations at Risk. Testimony

GAO INFORMATION SECURITY. Fundamental Weaknesses Place EPA Data and Operations at Risk. Testimony GAO United States General Accounting Office Testimony INFORMATION SECURITY Fundamental Weaknesses Place EPA Data and Operations at Risk Statement of David L. McClure Associate Director, Governmentwide

More information

Industrial Communication. Securing Industrial Wireless

Industrial Communication. Securing Industrial Wireless Industrial Communication Whitepaper Securing Industrial Wireless Contents Introduction... 3 Wireless Applications... 4 Potential Threats... 5 Denial of Service... 5 Eavesdropping... 5 Rogue Access Point...

More information

GAO INFORMATION SECURITY. The Centers for Medicare & Medicaid Services Needs to Improve Controls over Key Communication Network

GAO INFORMATION SECURITY. The Centers for Medicare & Medicaid Services Needs to Improve Controls over Key Communication Network GAO United States Government Accountability Office Report to the Chairman, Committee on Finance, U.S. Senate August 2006 INFORMATION SECURITY The Centers for Medicare & Medicaid Services Needs to Improve

More information

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department

More information

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including

More information

Wireless LANs and Healthcare: Understanding Security to Ensure Compliance with HIPAA

Wireless LANs and Healthcare: Understanding Security to Ensure Compliance with HIPAA : Understanding Security to Ensure Compliance with HIPAA Healthcare is a natural environment for wireless LAN solutions. With a large mobile population of doctors, nurses, physician s assistants and other

More information

Legislative Language

Legislative Language Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting

More information

GAO INFORMATION SECURITY. Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains. Report to Congressional Requesters

GAO INFORMATION SECURITY. Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains. Report to Congressional Requesters GAO United States Government Accountability Office Report to Congressional Requesters June 2008 INFORMATION SECURITY Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains

More information

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks. Table of Contents Section 1: Executive summary...1 Section 2: The challenge...2 Section 3: WLAN security...3 and the 802.1X standard Section 4: The solution...4 Section 5: Security...4 Section 6: Encrypted

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

TITLE III INFORMATION SECURITY

TITLE III INFORMATION SECURITY H. R. 2458 48 (1) maximize the degree to which unclassified geographic information from various sources can be made electronically compatible and accessible; and (2) promote the development of interoperable

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Improved Security Required for DHS Networks (Redacted) Notice: The Department of Homeland Security, Office of Inspector General, has redacted

More information

INFORMATION SECURITY. FDIC Made Progress in Securing Key Financial Systems, but Weaknesses Remain

INFORMATION SECURITY. FDIC Made Progress in Securing Key Financial Systems, but Weaknesses Remain United States Government Accountability Office Report to the Chairman, Federal Deposit Insurance Corporation July 2014 INFORMATION SECURITY FDIC Made Progress in Securing Key Financial Systems, but Weaknesses

More information

CYBERSECURITY Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies

CYBERSECURITY Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies United States Government Accountability Office Testimony before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, House of Representatives

More information

Link Layer and Network Layer Security for Wireless Networks

Link Layer and Network Layer Security for Wireless Networks White Paper Link Layer and Network Layer Security for Wireless Networks Abstract Wireless networking presents a significant security challenge. There is an ongoing debate about where to address this challenge:

More information

FEDERAL INFORMATION SECURITY

FEDERAL INFORMATION SECURITY United States Government Accountability Office Report to Congressional Committees September 2015 FEDERAL INFORMATION SECURITY Agencies Need to Correct Weaknesses and Fully Implement Security Programs GAO-15-714

More information

WHITE PAPER. Wireless LAN Security for Healthcare and HIPAA Compliance

WHITE PAPER. Wireless LAN Security for Healthcare and HIPAA Compliance WHITE PAPER Wireless LAN Security for Healthcare and HIPAA Compliance Wireless LAN Security for Healthcare and HIPAA Compliance Wireless deployments in healthcare institutions have accelerated as mobility

More information

Enabling Staff with Secure Mobile Technology in an Increasingly Risky World

Enabling Staff with Secure Mobile Technology in an Increasingly Risky World Enabling Staff with Secure Mobile Technology in an Increasingly Risky World Dan Campbell March 27, 2012 301-841-7400 Mobility = Mission Critical Mobility is no longer a luxury, it s a necessity Organizations

More information

National Institute of Standards and Technology (NIST) The Information Technology Lab Computer Security Division (893)

National Institute of Standards and Technology (NIST) The Information Technology Lab Computer Security Division (893) National Institute of Standards and Technology (NIST) The Information Technology Lab Computer Security Division (893) Now What? What does NIST have for you to use and how do you get it? How do you contact

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

Wireless Threats To Corporate Security A Presentation for ISACA UK Northern Chapter

Wireless Threats To Corporate Security A Presentation for ISACA UK Northern Chapter Wireless Threats To Corporate Security A Presentation for ISACA UK Northern Chapter Introduction Who are we? Matt Moore, Senior Consultant @ PenTest Ltd. Mark Rowe, Technical Director @ PenTest Ltd. What

More information

Wireless Network Security

Wireless Network Security Wireless Network Security Bhavik Doshi Privacy and Security Winter 2008-09 Instructor: Prof. Warren R. Carithers Due on: February 5, 2009 Table of Contents Sr. No. Topic Page No. 1. Introduction 3 2. An

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

State of Kansas. Interim Wireless Local Area Networks Security and Technical Architecture

State of Kansas. Interim Wireless Local Area Networks Security and Technical Architecture State of Kansas Interim Wireless Local Area Networks Security and Technical Architecture October 6, 2005 Prepared for Wireless Policy Committee Prepared by Revision Log DATE Version Change Description

More information

ORDER 1370.108. National Policy. Effective Date 09/21/09. Voice Over Internet Protocol (VoIP) Security Policy SUBJ:

ORDER 1370.108. National Policy. Effective Date 09/21/09. Voice Over Internet Protocol (VoIP) Security Policy SUBJ: National Policy ORDER 1370.108 Effective Date 09/21/09 SUBJ: Voice Over Internet Protocol (VoIP) Security Policy 1. Purpose of This Order. This Order establishes the Federal Aviation Administration s (FAA)

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR

More information

Wi-Fi Protected Access: Strong, standards-based, interoperable security for today s Wi-Fi networks Wi-Fi Alliance April 29, 2003

Wi-Fi Protected Access: Strong, standards-based, interoperable security for today s Wi-Fi networks Wi-Fi Alliance April 29, 2003 Wi-Fi Protected Access: Strong, standards-based, interoperable security for today s Wi-Fi networks Wi-Fi Alliance April 29, 2003 2003 Wi-Fi Alliance. Wi-Fi is a registered trademark of the Wi-Fi Alliance

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF DATA SECURITY USING MOBILE DEVICES DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET January 2015 Doug A. Ringler, CPA, CIA AUDITOR

More information

WHITEPAPER. Wireless LAN Security for Healthcare and HIPAA Compliance

WHITEPAPER. Wireless LAN Security for Healthcare and HIPAA Compliance WHITEPAPER Wireless LAN Security for Healthcare and HIPAA Compliance Wireless LAN Security for Healthcare and HIPAA Compliance Wireless deployments in healthcare institutions have accelerated as mobility

More information

WHITE PAPER. Preventing Wireless Data Breaches in Retail

WHITE PAPER. Preventing Wireless Data Breaches in Retail WHITE PAPER Preventing Wireless Data Breaches in Retail Preventing Wireless Data Breaches in Retail The introduction of wireless technologies in retail has created a new avenue for data breaches, circumventing

More information

INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program

INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program FINAL REPORT NO. OIG-12-037-A SEPTEMBER 27, 2012 U.S. Department of Commerce Office

More information

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe 2/1/2012 Assessor: J. Doe Disclaimer This report is provided as is for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information

More information

GAO INFORMATION SECURITY. Actions Needed by Census Bureau to Address Weaknesses. Report to Congressional Requesters

GAO INFORMATION SECURITY. Actions Needed by Census Bureau to Address Weaknesses. Report to Congressional Requesters GAO United States Government Accountability Office Report to Congressional Requesters January 2013 INFORMATION SECURITY Actions Needed by Census Bureau to Address Weaknesses GAO-13-63 January 2013 INFORMATION

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

INADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK

INADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK MARCH 28, 2011 AUDIT REPORT OFFICE OF AUDITS INADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration REPORT NO. IG-11-017

More information

HEALTHCARE.GOV. Information Security and Privacy Controls Should Be Enhanced to Address Weaknesses

HEALTHCARE.GOV. Information Security and Privacy Controls Should Be Enhanced to Address Weaknesses United States Government Accountability Office Testimony Before the Committee on Oversight and Government Reform, House of Representatives For Release on Delivery Expected at 11:00 a.m. ET Thursday, September

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Modernization Act Audit for Fiscal Year 2015 March 15, 2016 15-01957-100 ACRONYMS

More information

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)

More information

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS Department of Veterans Affairs VA Directive 6004 Washington, DC 20420 Transmittal Sheet September 28, 2009 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS 1. REASON FOR ISSUE: This Directive establishes

More information

WLAN Security Why Your Firewall, VPN, and IEEE 802.11i Aren t Enough to Protect Your Network

WLAN Security Why Your Firewall, VPN, and IEEE 802.11i Aren t Enough to Protect Your Network WLAN Security Why Your Firewall, VPN, and IEEE 802.11i Aren t Enough to Protect Your Network 339 N. Bernardo Avenue, Suite 200 Mountain View, CA 94043 www.airtightnetworks.net Executive Summary Wireless

More information

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model--- ---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of

More information

INFORMATION SECURITY. SEC Needs to Improve Controls over Financial Systems and Data

INFORMATION SECURITY. SEC Needs to Improve Controls over Financial Systems and Data United States Government Accountability Office Report to the Chair, U.S. Securities and Exchange Commission April 2014 INFORMATION SECURITY SEC Needs to Improve Controls over Financial Systems and Data

More information

Ensuring HIPAA Compliance in Healthcare

Ensuring HIPAA Compliance in Healthcare The Intelligent Wireless Networking Choice WHITE PAPER Ensuring HIPAA Compliance in Healthcare Overview Wireless LANs are prevalent in healthcare institutions. The constant need for mobility among doctors,

More information

Department of Homeland Security Office of Inspector General

Department of Homeland Security Office of Inspector General Department of Homeland Security Office of Inspector General Vulnerabilities Highlight the Need for More Effective Web Security Management (Redacted) OIG-09-101 September 2009 Office of Inspector General

More information

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1 APPENDIX A Appendix A Learning Continuum A-1 Appendix A Learning Continuum A-2 APPENDIX A LEARNING CONTINUUM E D U C A T I O N Information Technology Security Specialists and Professionals Education and

More information

Link Layer and Network Layer Security for Wireless Networks

Link Layer and Network Layer Security for Wireless Networks Link Layer and Network Layer Security for Wireless Networks Interlink Networks, Inc. May 15, 2003 1 LINK LAYER AND NETWORK LAYER SECURITY FOR WIRELESS NETWORKS... 3 Abstract... 3 1. INTRODUCTION... 3 2.

More information

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline Overview The following note covers information published in the PCI-DSS Wireless Guideline in July of 2009 by the PCI Wireless Special Interest Group Implementation Team and addresses version 1.2 of the

More information

XX-XXX Wireless Local Area Network Guidelines. Date: August 13, 2003 Date Adopted by NITC: Other:

XX-XXX Wireless Local Area Network Guidelines. Date: August 13, 2003 Date Adopted by NITC: Other: Nebraska Information Technology Commission TECHNICAL STANDARDS AND GUIDELINES Wireless Local Area Network Guidelines Category Title Number Security Architecture Wireless Local Area Network Guidelines Applicability

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department

More information

Enterprise Solutions for Wireless LAN Security Wi-Fi Alliance February 6, 2003

Enterprise Solutions for Wireless LAN Security Wi-Fi Alliance February 6, 2003 Enterprise Solutions for Wireless LAN Security Wi-Fi Alliance February 6, 2003 Executive Summary The threat to network security from improperly secured WLANs is a real and present danger for today s enterprises.

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

More information

INFORMATION SECURITY

INFORMATION SECURITY United States Government Accountability Office Report to the Chairman, Federal Deposit Insurance Corporation June 2016 INFORMATION SECURITY FDIC Implemented Controls over Financial Systems, but Further

More information

GAO PERSONAL ID VERIFICATION. Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards

GAO PERSONAL ID VERIFICATION. Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards GAO United States Government Accountability Office Report to Congressional Requesters September 2011 PERSONAL ID VERIFICATION Agencies Should Set a Higher Priority on Using the Capabilities of Standardized

More information

Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer

Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan

More information

NIST Cyber Security Activities

NIST Cyber Security Activities NIST Cyber Security Activities Dr. Alicia Clay Deputy Chief, Computer Security Division NIST Information Technology Laboratory U.S. Department of Commerce September 29, 2004 1 Computer Security Division

More information

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples The

More information